Thursday, November 13, 2008

Location

The tests you’re performing dictate where you must run them from. Your goal
is to hack your systems from locations where malicious hackers can access
the systems. You can’t predict whether you’ll be attacked by a hacker from
outside or inside your network, so cover all your bases. Combine external
(public Internet) tests and internal (private network) tests.

You can perform some tests, such as password cracking and network-infrastructure
assessments, from the comfort of your office — inside the network.
But it may be better to have a true outsider perform other tests on routers,
firewalls, and public Web applications.

For your external hacks that require network connectivity, you may have to
go off-site (a good excuse to work from home) or use an external proxy server.
Better yet, if you can assign an available public IP address to your computer,
plug into the network on the outside of the firewall for a hacker’s-eye view of
your systems. Internal tests are easy because you need only physical access
to the building and the network.

Reacting to major exploits that you find

Determine ahead of time whether you’ll stop or keep going when you find a
critical security hole. Your manager or your customer may not ask you to,
but I think it’s best to keep going to see what else you can discover. I’m not
saying to keep hacking until the end of time or until you crash all your systems.
Simply pursue the path you’re going down until you can’t hack it any
longer (pun intended).

Silly assumptions

You’ve heard what you make of yourself when you assume things. Even so,
you must make assumptions when you hack your systems. Here are some
examples of those assumptions:

Computers, networks, and people are available when you’re testing.
You have all the proper hacking tools.
The hacking tools you’re using won’t crash your systems.
Your hacking tools actually work.
You know all the risks of your tests.

You should document all assumptions and have management or your customer
sign off on them as part of your overall approval process.

Selecting Tools

The required security-assessment tools (hacking tools) depend on the tests
you’re running. You can perform some ethical hacking tests with a pair of
sneakers, a telephone, and a basic workstation on the network. However,
comprehensive testing is easier with hacking tools.

Not only do you need an arsenal of tools, but you should also use the right
tool for the task:

If you’re cracking passwords, a general port scanner such as SuperScan or Nmap may not do the trick. For this task, you need a tool such as LC4, John the Ripper, or pwdump.

If you’re attempting an in-depth analysis of a Web application, a Web-application assessment tool (such as Nikto or WebInspect) is more appropriate than a network analyzer such as Ethereal.

If you’re not sure what tools to use, fear not. Throughout this book, I introduce
a wide variety of tools — both free and commercial — that you can use
to accomplish your tasks.

You can choose among hundreds, if not thousands, of tools for ethical
hacking — everything from your own words and actions to software-based
vulnerability-assessment programs to hardware-based network analyzers.

Here’s a rundown of some of my favorite commercial, freeware, and open-source
security tools:

@stake L0phtcrack (now called LC4)
Ethereal
Foundstone SuperScan
Qualys QualysGuard
GFI LANguard Network Security Scanner
John the Ripper
Network Stumbler
Nessus
Nikto
Nmap
Pwdump2
SPI Dynamics WebInspect
THC-RUT
ToneLoc
